FY 2010 OFFICE OF INSPECTOR GENERAL
FISMA REVIEW OF GSA’S INFORMATION TECHNOLOGY SECURITY PROGRAM
REPORT NUMBER A100085/O/F/F11001

December 8, 2010

Date:          December 8, 2010

To:            Casey Coleman
               Chief Information Officer (I)

Reply to
Attn of:       Carolyn Presley-Doss
               Deputy Assistant Inspector General for Finance and Information Technology Audits (JA-F)

Subject:       FY 2010 Office of Inspector General FISMA Review of GSA’s IT Security Program, Report Number A100085/O/F/F11001

The Federal Information Security Management Act of 2002 (FISMA) directs Inspectors General (IGs) to perform an annual independent evaluation of their respective agency’s information security program and controls for select systems. This audit report presents the results of the Office of Inspector General’s fiscal year 2010 review of the General Services Administration’s (GSA’s) information technology (IT) security program and reflects results from five system security audits conducted during the year. Appendix A provides the objective, scope, and methodology for the audit.

On April 21, 2010, the Office of Management and Budget (OMB) issued annual FISMA reporting instructions [1] for agencies and IGs. OMB directed IGs to assess agency information security performance in key areas, including certification and accreditation, configuration management, security training, incident response, remote access, and identity management. Further, OMB has directed agencies and IGs to use Cyberscope, an Internet-based tool, to respond to OMB’s FISMA questions.

RESULTS OF AUDIT

GSA’s Chief Information Officer (CIO) continues to take steps to develop, document, and implement an agency-wide IT security program. For example, the CIO has updated GSA’s IT Security Policy, published procedural guidance on a variety of information security topics, and expanded the IT security program to cover cloud computing technologies. However, we found that additional steps are needed to strengthen GSA’s IT security program in four key areas: (1) secure configuration of agency systems, (2) oversight of audit logging and monitoring practices, (3) implementation of multifactor authentication for systems processing sensitive information, and (4) encryption of data on agency laptop computers.

[1] OMB Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, April 21, 2010

RECOMMENDATIONS

To improve GSA’s IT Security Program and to ensure the security of GSA systems, data, and operations, we recommend that the GSA-CIO take actions to:

1. Strengthen configuration management practices for GSA systems by:
   a. Increasing oversight of security officials’ application of baseline configuration requirements, and
   b. Expanding technical testing processes to include authenticated scanning.

2. Work with system security officials to prioritize the implementation of audit logging and monitoring controls for GSA systems.

3. Ensure that all systems that are remotely accessed implement multifactor authentication, as appropriate.

4. Implement an encryption solution for agency laptops that integrates into GSA’s network environment.

EXPLANATION OF FINDINGS

Expanding technical testing processes could improve configuration management of agency systems

While the GSA-CIO has implemented a testing program with tools that identify vulnerabilities, improvements are needed to better secure agency systems and data. Specifically, we identified numerous weaknesses in all five systems reviewed resulting from security misconfigurations of database or operating system software. These weaknesses included database and operating system software that was not patched or securely configured and lax password management practices for database administrator accounts. As a result, these systems and their sensitive data were placed at an increased risk of inappropriate access, modification, or destruction. GSA’s IT Security Policy requires that all information systems be securely hardened and patched while in operation. National Institute of Standards and Technology (NIST) Special Publication 800-53 [2] requires organizations to configure the security settings of IT systems to the most restrictive mode consistent with operational requirements.

Weaknesses occurred for two primary reasons. First, system security officials were not applying GSA’s IT Security Policy requirements for baseline configuration. Second, technical testing conducted by the GSA-CIO as part of GSA’s oversight was not comprehensive. To strengthen configuration management of GSA systems, we recommend that the GSA-CIO: (1) increase oversight of security officials’ application of baseline configuration requirements, and (2) expand technical testing processes by performing authenticated scans. Authenticated scanning would provide a more comprehensive view of the implementation of GSA’s IT Security Policy and hardening guides by system security officials.

[2] NIST SP 800-53, Rev. 2, Recommended Security Controls for Federal Information Systems, December 2007

Additional oversight by GSA’s IT security program could assist in ensuring that audit logging and monitoring controls are implemented for GSA systems

While the GSA-CIO has published policy on audit logging and monitoring, we found inconsistent implementation of the policy for three of five systems reviewed, specifically:

- Database audit records, which would capture information such as the modification and deletion of data and administrative actions, were not generated for one system that contains Privacy Act information.
- Operating system audit records that monitor baseline system data, such as system performance, were not enabled for another system containing Privacy Act information.
- System security officials were not reviewing audit records for suspicious activity for another system containing sensitive information.

As a result of not appropriately implementing audit logging and monitoring, system security officials may be unable to identify unauthorized activity or when GSA systems are compromised. Further, investigatory actions in response to security incidents may be hindered. GSA’s IT Security Policy requires that security auditing capabilities be employed on all GSA information systems and that audit records be reviewed frequently for signs of unauthorized activity and other security events.

Inconsistent implementation occurred primarily because GSA, in its efforts toward enterprise-wide continuous monitoring, has not prioritized the management of audit records for systems that contain sensitive information. To better detect potential security incidents, we recommend that the GSA-CIO work with system security officials to prioritize the implementation of audit logging and monitoring for GSA systems.

Better planning could help ensure successful implementation of multifactor authentication for GSA systems

Multifactor authentication involves accessing IT systems with two or more of the following: something a user knows (e.g., username and password), something a user has (e.g., smartcard), or something a user is (e.g., biometrics). None of the five systems that we reviewed were using multifactor authentication for remote access to sensitive information. All permit access with only a username and password. Further, three of the systems contained sensitive data. As a result, these systems were placed at an increased risk of unauthorized access, disclosure of sensitive information, and having their data compromised.

The lack of multifactor authentication was not addressed as part of the security assessments for all five systems reviewed. One system identified this as a requirement, but implementation of multifactor authentication was not tracked and prioritized on the system plan of action and milestones. NIST requires multifactor authentication for remote access to these systems. To better ensure the security of system data and to enhance access controls, we recommend that the GSA-CIO ensure that all systems that are remotely accessed implement multifactor authentication, as appropriate.

GSA must overcome technical challenges for successful implementation of an encryption solution for agency laptops

GSA has not implemented a solution to encrypt agency laptops, a condition we originally reported in 2008 [3]. In response to a 2006 security incident in which a laptop containing personally identifiable information for 26.5 million U.S. military veterans was stolen, the Office of Management and Budget now requires agencies to encrypt sensitive data on all mobile devices [4]. Encryption refers to converting data into a form that is not easily understood by unauthorized individuals. When data on agency laptops is not encrypted, sensitive information may be at increased risk of disclosure and misuse in the event that the laptops are lost or stolen.

GSA laptops are not encrypted because GSA has experienced significant technical problems in integrating the chosen encryption solution into GSA’s network. To ensure that sensitive information is adequately protected on agency laptops, we recommend that the GSA-CIO implement an encryption solution for agency laptops that integrates into GSA’s network environment.

MANAGEMENT COMMENTS

The GSA-CIO concurred with the findings and recommendations outlined in this report. A copy of the GSA-CIO’s comments is included in its entirety in Appendix B.

INTERNAL CONTROLS

This audit included a review of elements of GSA’s IT Security Program, including select management, operational, and technical controls for five GSA systems. We did not test all controls across GSA. The Results of Audit and Recommendations sections of this report state, in detail, the need to strengthen specific processes and controls established within the GSA IT Security Program.

We would like to express our thanks to the GSA-CIO’s staff for their assistance and cooperation during this audit. Please contact Michael Nussdorfer, Auditor-in-Charge, or me if you have any questions regarding this report.

Larry Bateman
Audit Manager
Finance and Information Technology Audit Office (JA-F)

[3] FY 2008 Office of Inspector General FISMA Review of GSA’s IT Security Program, Report Number A080081/O/T/F08016, dated September 11, 2008
[4] OMB Memorandum M-06-16, Protection of Sensitive Agency Information, June 23, 2006

APPENDIX A – OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this audit was to determine if the General Services Administration (GSA) has developed, documented, and implemented an agency-wide information security program. If not, what additional actions are needed to strengthen information security risk management practices for GSA? To address this objective we:

- Reviewed policies, procedures, technical guides, and standards established within GSA’s IT Security Program.
- Assessed the implementation of GSA’s IT Security Program for five select GSA systems. For these systems, we conducted security audits to determine whether management, operational, and technical controls had been implemented to effectively manage risks.
- Met with GSA IT security officials in the Office of the GSA Chief Information Officer, Federal Acquisition Service, Public Buildings Service, and the Office of Governmentwide Policy. We also met with GSA’s external auditor, KPMG.
- Considered results of information systems controls testing performed for the financial statement audit.
- Evaluated the implementation of information security program elements from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-100, Information Security Handbook: A Guide for Managers, October 2006.
- Applied the NIST Federal Information Processing Standards Publications and SP 800 series security guidelines.
- Utilized applicable information security regulations, policies, and guidance.
- Examined system certification and accreditation packages, including system risk assessments, security plans, security assessment results, contingency plans, and system- and program-level plans of action and milestones.
- Conducted operating system, database, and web application security testing for the select systems we reviewed.

We conducted this performance audit in accordance with generally accepted government auditing standards between January and October of 2010. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

APPENDIX B – MANAGEMENT COMMENTS

APPENDIX C – REPORT DISTRIBUTION

                                                              Electronic Copies
Chief Information Officer (I) ..................................... 3
    Senior Agency Information Security Officer (IS) ............... 1
Commissioner, Public Buildings Service (P) ......................... 1
Commissioner, Federal Acquisition Service (Q) ...................... 1
Associate Administrator, Office of Governmentwide Policy (M) ....... 1
Internal Control and Audit Division (BEI) .......................... 1
Assistant Inspector General for Auditing (JA) ...................... 1
Director, Audit Operations (JAO) ................................... 1
Deputy Assistant Inspector General for Acquisition Audits (JA-A) ... 1
Deputy Assistant Inspector General for Real Property Audits (JA-R) . 1
Director, Administration and Data Systems (JAS) .................... 1
Assistant Inspector General for Investigations (JI) ................ 1